Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Security firm exploits Chrome zero-day to hack browser, escape sandbox

Gregg Keizer | May 9, 2011
Posts video demo of attack that relies on one or more zero-day vulnerabilities in Google browser.

Other security experts reacted today to the news of one or more Chrome zero-days, and to Vupen's practice of providing details only to its clients.

"I suppose that means we have a known Chrome 0-day floating around. That's fun," said Jeremiah Grossman, CTO of WhiteHat Security, in a Twitter message today.

"That also means for that the [government] is outbidding Google for bug bounties," Grossman added in a follow-up tweet.

"For now, the [government] still has more money than Google," chimed in Charlie Miller, the only researcher who has won cash prizes at four straight Pwn2Own contests.

Google, like rival browser maker Mozilla, runs a bounty program that pays independent researchers for reporting flaws in Chrome. Last month, Google paid out a record $16,500 in bounties for bugs it patched in a single update. In the first four months of 2011, Google spent more than $77,000 on bug bounties.

Google cited Vupen's policy of not reporting flaws as the reason it could not verify the French firm's assertions.

"We're unable to verify Vupen's claims at this time as we have not received any details from them," a Google spokesman said. "Should any modifications become necessary, users will be automatically updated to the latest version of Chrome."


Previous Page  1  2 

Sign up for CIO Asia eNewsletters.